Good to see landmark developments happening in the cyber security arena in the country! First the long due National Cyber Security Policy was announced and yesterday (July 20, 2013) the Guidelines for National Critical Information Infrastructure Protection have been released.
This Guidelines were prepared by the CIP wing of NTRO - National Crititcal Information Infrastructure Protection Centre (NCIIPC) and were released into the public domain by the National Security Advisor Mr Shivshankar Menon.
The document has been brought out by a Joint Working Group chaired by N. Balakrishnan (Associate Director of IISc, Bangalore), Virat Bhatia (Chairman, FICCI Communication and Digital Economy Committee), NASSCOM (Former President), Kiran Karnik (Chairman, CII National Telecom Committee) and Muktesh Chander (Joint Commissioner, Delhi Police - until recently Centre Director, NTRO).
[Dinesh] Happy to see the first output of public and academic participation in the cyber security domain at the centre. Would have liked the group to be more broad based but nevertheless, am happy :)
As per the newspaper reports in TOI and The Hindu the guidelines provide for tough punishment. Cyber attacks on ministries, power, telecom could be termed cyber terrorism and can invite life imprisonment and that these would be declared protected systems!
[Dinesh] We have tough punishments under the ITA and now we have some more, but really, CI attacks are expected to be launched by state actors and not individuals .... waiting to read the document before i write more but you get the drift.
The NTRO will identify eight sectors which will include energy, aviation and space, telecom, transportation, finance, security and law enforcement, government ... these will be declared protected systems and NTRO will monitor whether they are following the Guidelines.
[Dinesh] TOI mentions National Stock Exchange, in that case are BSE, MCX also included? Does transportation include road, rail network ? Newspaper has not mentioned Water.... waiting for the document to be released. Is the sector just mentioned or is there more detail there.
The guidelines prescribe 40 generic and guiding controls and then each individual sector will create their own sectoral controls.
[Dinesh] the question is who will create these controls and is there any guidance for this. Who has the expertise for this!
In addition to the expectations mentioned above I also hope that there will be a supplementary and detailed document which will follow these Guidelines. Just a set of guidelines without detailed explanation of the intent and expectations will be difficult and will leave a lot of room for speculation and means of exiting without implementation!
Presently the formation of NCIIPC entity has been announced but the organization exists only in name as the final Government orders have not been issued (I have not come to know about this yet). An officer was appointed to head NCIIPC but has moved on and this position is to be filled. So the question that comes up is - who will operationalize the Guidelines and bring the same level of thought leadership to the position. The position needs a lot of work, a strong vision, in-depth knowledge of the cyber security / CIP threat scenario and so much more.
Time is running out and good, strong action by the office of the NSA to drive this change is needed, as of day-before-yesterday.
As I have said - this action is welcome and one looks forward to more proactive and positive moves soon.
On an unrelated note - Professor Balakrishnan has also been carrying on the task of creating the TETC and this has been going on for the past few years. Nothing of value has been reported over the last three years and more and I do hope that project also moves into the fast lane. The TETC is the Telecom Equipment Test Center which was thought up long back in the wake of the frightening news about Chinese equipment.
NOTE:
At the time of writing this blog the document has not yet been placed in the public domain but one expects this to be good because of the composition of the group and the presence of someone who knows his job very well (and I do not want to put a name to the person).
Labels: CIIP, CIP, Critical Infrastructure Protection, government of india, India - Policies and Guidelines, National Critical Information Infrastructure Guidelines, national security, NCIIPC, NTRO